CVE-2024-1522
Severity CVSS v4.0:
Pending analysis
Type:
CWE-352
Cross-Site Request Forgery (CSRF)
Publication date:
30/03/2024
Last modified:
15/08/2025
Description
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim's system without requiring direct network access to the vulnerable application.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:* | 9.0 (including) | 9.2 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b
- https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71
- https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b
- https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71